governing for enterprise security (presentation) · governing for enterprise security julia h....
TRANSCRIPT
page 1
Pittsburgh, PA 15213-3890
© 2005 by Carnegie Mellon University
Governing for Enterprise Security
Julia H. AllenNetworked Systems SurvivabilitySoftware Engineering InstituteCarnegie Mellon UniversityPittsburgh, PA 15213-3890
® CERT, CERT Coordination Center, OCTAVE, CMM, CMMI, and Carnegie Mellon are registered in the U.S. Patent and Trademark Office
Sponsored by the U.S. Department of Defense
© 2005 by Carnegie Mellon University page 2
Definition
“Directing and controlling an organization to establish and sustain a culture of security in the organization's conduct (beliefs, behaviors, capabilities, and actions)”
Builds upon and expands commonly described forms of governance including corporate governance, enterprise governance, and information technology (IT) governance
© 2005 by Carnegie Mellon University page 3
Questions to Ask
What is at risk?
How much security is enough?
How does an enterprise • evolve its approach to security?• achieve and sustain adequate security?
© 2005 by Carnegie Mellon University page 4
Questions to Ask
What is at risk?
How much security is enough?
How does an enterprise • evolve its approach to security?• achieve and sustain adequate
security?
© 2005 by Carnegie Mellon University page 5
What Is At Risk?
• Trust • Reputation; brand • Shareholder/stakeholder value • Market confidence, share, capitalization• Regulatory compliance; fines, jail time• Customer retention, growth • Customer and partner identity, privacy • Ability to offer, fulfill business transactions• Staff morale
© 2005 by Carnegie Mellon University page 6
Trust“The central truth is that information security is a means, not an end. Information security serves the end of trust. Trust is efficient, both in business and in life; and misplaced trust is ruinous, both in business and in life.
Trust makes it possible to proceed where proof is lacking. As an end, trust is worth the price. Without trust, information is largely useless.”
[Dan Geer; “Why Information Security Matters”]
© 2005 by Carnegie Mellon University page 7
Responsibility to Protect Digital Assets
Duty of Care: D&O Governance of Corporate Digital Security
• Govern business operations; protect critical assets
• Protect market share, stock price• Govern employee conduct• Protect reputation• Ensure compliance requirements are met
Business Judgment Rule: That which a reasonably prudent director of a similar corporation would have used[Jody Westby, PricewaterhouseCoopers, Congressional Testimony; case law]
© 2005 by Carnegie Mellon University page 8
Barriers to Tackling Security• Abstract, concerned with hypothetical events• A holistic, enterprise-wide problem; not just
technical• No widely accepted measures/indicators• Disaster-preventing rather than payoff-producing
(like insurance)• Installing security safeguards can have negative
aspects (added cost, diminished performance, inconvenience)
© 2005 by Carnegie Mellon University page 9
Questions to Ask
What is at risk?
How much security is enough?
How does an enterprise • evolve its approach to security?• achieve and sustain adequate security?
© 2005 by Carnegie Mellon University page 10
Shift the Security Perspective
Enterprise problemEnterpriseInvestmentIntegratedEnterpriseProcessEnterprise continuity/resilience
Scope: Technical problemOwnership: ITFunding: ExpenseFocus: IntermittentDriver: ExternalApplication: Platform/practiceGoal: IT security
ToFrom
© 2005 by Carnegie Mellon University page 11
Security to Resiliency
Managing to threat and vulnerability
No articulation of desired state
Possible security technology overkill
Managing to impact and consequence
Adequate security defined as desired state
Security in sufficient balance to cost, risk
to
© 2005 by Carnegie Mellon University page 12
A Resilient Enterprise Is Able To. . .
• withstand systemic discontinuities and adapt to new risk environments [Starr 03]
• be sensing, agile, networked, prepared [Starr 03]
• dynamically reinvent business models and strategies as circumstances change [Hamel 04]
• have the capacity to change before the case for change becomes desperately obvious [Hamel 04]
© 2005 by Carnegie Mellon University page 13
Security Strategy Questions
• What needs to be protected? Why does it need to be protected? What happens if it is not protected?
• What potential adverse consequences need to be prevented? At what cost? How much disruption can we stand before we take action?
• How do we effectively manage the residual risk when protection and prevention actions are not taken?
© 2005 by Carnegie Mellon University page 14
Defining Adequate Security
The condition where the protection strategies
for an organization's critical assets and business processes
are commensurate with the organization's risk appetite and risk tolerances
Risk appetite and risk tolerance as defined by COSO’s Enterprise Risk Management Integrated Framework, September, 2004.
http://www.cert.org/governance/adequate.html
© 2005 by Carnegie Mellon University page 15
Determining Adequate Security Depends On . . .• Enterprise factors: size, complexity, asset criticality,
dependence on IT, impact of downtime
• Market sector factors: provider of critical infrastructure, openness of network, customer privacy, regulatory pressure, public disclosure
• Principle-based decisions: Accountability, Awareness, Compliance, Effectiveness, Ethics, Perspective/Scope, Risk Management, etc.
http://www.cert.org/governance/ges-aware.html
http://www.cert.org/governance/stakeholder.html
© 2005 by Carnegie Mellon University page 16
Adequate Security and Operational Risk
“Appropriate business security is that which protects the business from undue operational risks in a cost-effective manner.” [Sherwood 03]
“With the advent of regulatory agencies assessing a business’s aggregate operational risk, there needs to be a way of looking at the organization as a whole rather than its many parts.” [Milus 04]
[According to Basel II, operational risks are risks of loss resulting from inadequate or failed internal processes, people, and systems or from external events. http://www.bis.org/publ/bcbs107.htm]
© 2005 by Carnegie Mellon University page 17
Questions to Ask
What is at risk?
How much security is enough?
How does an enterprise• evolve its approach to security?• achieve and sustain adequate
security?
© 2005 by Carnegie Mellon University page 18
Evolving the Security Approach
Incident Response
Process Maturation
Vulnerability Management
Security Risk Management
Enterprise Security Management
© 2005 by Carnegie Mellon University page 19
Questions to Ask
What is at risk?
How much security is enough?
How does an enterprise• evolve its approach to security?• achieve and sustain adequate
security?
© 2005 by Carnegie Mellon University page 20
Shift the Security Approach
irregularreactiveimmeasurableabsolute
Ad-hoc and tactical
systematicadaptivemeasuredadequate
Managed and strategic
to
Security activities and measures of security performance are visibly aligned with strategic drivers and critical success factors.
© 2005 by Carnegie Mellon University page 21
Deriving a Framework
CapabilitiesFramework
Standards, guidelines, &
practices
Fieldwork &experience
High performingorganizations
© 2005 by Carnegie Mellon University page 22
Notional Set of Capabilities
Asset Management
Audit
Crisis Management
Enterprise Security Governance
IT Operations
Partner Management
Physical/Facilities Management
Process Management
Project Management
Risk Management
Security Operations
Systems Development
User Management
© 2005 by Carnegie Mellon University page 23
Mobilizing Capabilities to Achieve/Sustain Adequate Security
Critical Success Factors: determine priorities
ES Governance: policy, oversight, sponsorship
Audit: evaluatesRisk Mgmt: clarifies risk tolerance, impacts
IT Ops: delivers secure service, protects assets
Security: defines controls for key IT ops processes
Project Mgmt: plans, tracks, ensures completion
Process Mgmt:enables
© 2005 by Carnegie Mellon University page 24
Critical Success Factors: determine priorities
ES Governance: policy, oversight, sponsorship
Audit: evaluatesRisk Mgmt: clarifies risk tolerance, risks, impacts
IT Ops: delivers secure service, protects assets
Security: defines controls for key IT ops processes
Project Mgmt: plans, tracks, ensures completion
Process Mgmt:enables
Contributing process areas
Process definitions
Actions, Process Definitions,Measures, Status, Plan updates
Evaluation, Eval criteria
Plans, Status,Business case
Results
Tasks, Improvements
Plan inputs, priorities
FindingsExtent of complianceRecommendations
Determine Current State
Evaluate
Strategies, Recommendations,Actions
Priorities
Measures
Prioritized tasking
RequirementsControlsProcess steps
Status, Plan updates, Resources, Measures, New improvements, Business case data
Mobilizing to Achieve/Sustain Adequate Security
IT Ops Processes • Asset Management • Release Mgmt• Configuration Mgmt• Change Mgmt
• Problem/Incident Mgmt• Availability Management• Integrity Management• Confidentiality/Privacy
Management
Prioritized tasking
© 2005 by Carnegie Mellon University page 25
What Does Effective Security Look Like at the Enterprise Level?• No longer solely under IT’s control
• Achievable, measurable objectives are defined and included in strategic and operational plans
• Functions across the organization view security as part of their job (e.g., Audit) and are so measured
• Adequate and sustained funding is a given
• Senior executives visibly sponsor and measure this work against defined performance parameters
• Considered a requirement of being in business
© 2005 by Carnegie Mellon University page 26
What Is Internal Audit’s Role?
• Leverage Audit’s professionalism and enterprise-wide scope
• Supplement compliance activities with risk assessment and process improvement
• Create an enterprise-wide risk-based audit program(*)• Broaden audit scope to address third-party and vendor
risk• Collaborate with IT to mitigate information systems risk
proactively
(*) including enterprise security
[PriceWaterhouseCoopers Internal Audit Global Best Practices; http://www.pwc.com/extweb/service.nsf/docid/D52A08081C25BC3885256F0B00522DF9]
© 2005 by Carnegie Mellon University page 27
Why Should Internal Audit Care?
Responsible for evaluating the adequacy and effectiveness of controls
• Reliability and integrity of financial, operational information
• Effectiveness, efficiency of operations• Safeguarding assets• Compliance with laws, regulations, contracts
Brings a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes
[IIA, Tone at the Top, Issue 23, October 2004.]
© 2005 by Carnegie Mellon University page 28
For More Information• Governing for Enterprise Security
(http://www.cert.org/governance/ges.html)• Enterprise Security Management
(http://www.cert.org/nav/index_green.html)• CERT web site (http://www.cert.org); ITPI web
site (http://www.itpi.org); SEI web site (http://www.sei.cmu.edu)
© 2005 by Carnegie Mellon University page 29
References[Hamel 04] Hamel, Gary; Valikangas, Liisa. “The Quest for Resilience,” Harvard Business Review, September 2003.
[Milus 04] Milus, Stu. “The Institutional Need for Comprehensive Auditing Strategies.” Information Systems Control Journal, Volume 6, 2004.
[Sherwood 03] Sherwood, John; Clark; Andrew; Lynas, David. “Systems and Business Security Architecture.” SABSA Limited, 17 September 2003. Available at http://www.alctraining.com.au/pdf/SABSA_White_Paper.pdf.
[Starr 03] Starr, Randy; Newfrock, Jim; Delurey, Michael. “Enterprise Resilience: Managing Risk in the Networked Economy.” strategy+business, Spring 2003. Also appears in “Enterprise Resilience: Risk and Security in the Networked World: A strategy+business Reader.” Randall Rothenberg, ed.
[Westby 04] Westby, Jody. “Information Security: Responsibilities of Boards of Directors and Senior Management.” Testimony before the House Committee on Government Reform: Subcommittee on Technology, Information Policy, Intergovernmental Relations and the Census, September 22, 2004. Available at http://www.reform.house.gov/UploadedFiles/Westby1.pdf.